What?! So few functions, a suspicious entry point, few imports, high entropy: these are the signs of a packed executable:
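As an added example (not from the original write-up), a Python triage helper that turns two of the signs above, high entropy and a suspicious entry point, into a check: it parses the PE32 section table, scores each section by Shannon entropy and flags the binary when the entry point lands in a high-entropy section. The two-section image it builds and the section name `.packed` are constructed stand-ins, and the 7.0 threshold is an assumed rule of thumb.

```python
import hashlib, math, struct
from collections import Counter

PACKED_ENTROPY = 7.0  # assumed triage threshold; compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_report(pe: bytes) -> dict:
    """Parse a PE32 section table, score each section by entropy, and locate the entry point."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    coff = e_lfanew + 4
    n_sections, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", pe, coff + 36)[0]      # AddressOfEntryPoint (optional header + 16)
    sections, entry_section = [], None
    for i in range(n_sections):
        off = coff + 20 + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        ent = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name, "entropy": round(ent, 2), "packed": ent > PACKED_ENTROPY})
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_section = sections[-1]
    # A packer stub owns the entry point and sits beside compressed data; normal code rarely does both.
    return {"sections": sections, "entry_section": entry_section and entry_section["name"],
            "likely_packed": bool(entry_section and entry_section["packed"])}

def build_sample() -> bytes:
    """Constructed two-section PE32 skeleton (not the write-up's sample) with a packer-like layout."""
    img = bytearray(0x800)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)        # e_lfanew
    struct.pack_into("<H", img, 0x46, 2)           # NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xE0)        # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, 0x58, 0x10B)       # Magic: PE32
    struct.pack_into("<I", img, 0x68, 0x2010)      # AddressOfEntryPoint inside the second section
    table = [(b".text", 0x1000, 0x200, 0x200), (b".packed", 0x2000, 0x400, 0x400)]
    for i, (name, va, size, ptr) in enumerate(table):
        off = 0x138 + 40 * i                       # section table follows the optional header
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, size, va, size, ptr)
    img[0x200:0x400] = b"\0" * 0x1C0 + bytes(range(64))   # sparse, code-like data: low entropy
    blob = b""
    while len(blob) < 0x400:                               # hash chain stands in for a compressed payload
        blob += hashlib.sha256(blob[-32:] or b"constructed").digest()
    img[0x400:0x800] = blob
    return bytes(img)
```

Run `section_report` on the bytes of a real file to see which section holds the entry point and how its entropy compares with `.text`.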

Let’s open it in x32dbg and unpack it.

MPRESS makes programs and libraries smaller and decreases start time when the application is loaded from slow removable media or from the network.

MPRESS is a generic packer; it was not created for protecting applications, so it is very easy to unpack apps packed with it.

At the entry point there is a pushad instruction, which is very common for packers such as UPX:
it saves all register values on the stack and, after unpacking the application, restores them using the popa(d) instruction.

There are many ways to unpack such packed files; let’s use one of them. After the register values have been saved on the stack, set a hardware breakpoint on any of the pushed register values and run:

…and we hit the popad instruction:

Let’s follow the jmp; the unpacked instructions are probably there:

There is except_handler3 from C++ and several other normal functions. It seems the sample is unpacked.

Let’s dump it using x32dbg’s built-in plugin Scylla.

Plugin->Scylla->IAT Autosearch->Get Imports->Dump->Fix Dump

…and open in IDA pro:

There are WinMain and std functions, so it’s unpacked; you can download the unpacked version from hybrid-analysis.

Open unpacked sample in IDA pro and dive deep.

In the WinMain function it checks the command line arguments, and if there is a -l option it creates a lic.txt file:

At 00403BC7 it creates a Mutex, and if one already exists, it terminates itself:

At 00403BDE it gets function addresses using LoadLibraryA and GetProcAddress, at 00403C09 it gets the product name from SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName, and at 00403C28 it checks whether the process is running under 64-bit Windows:

It checks whether the process is executed with admin privileges:

Possibly, the RAT will send this information to the C&C.

It seems that at 00403D5D the function gets a directory path based on the configuration: